On Wed, 10.12.14 09:21, Jan Synacek (jsyna...@redhat.com) wrote:
> systemd-detect-virt would print "none" when using nspawn to run a shell
> inside a container and then running systemd-detect-virt in it, because
> the shell would be PID 1, not the actuall systemd-detect-virt
> process.
So, previously the code read the env var directly from
/proc/1/environ, but that file is only readable with privs, hence I
added code to PID 1 to write the value of that env var to
/run/systemd/container which is readable without privs. Now, if you
run a shell as PID 1 that will obviously not happen and the detection
won't work after all.
Simply relying that $container is inherited from PID 1 down is
something I'd really like to avoid, though.
I have now made a change to the code that falls back to
getenv_for_pid() if /rub/systemd/container does not exist. THis will
only be ffective with perms however. The new code hence still isn't
perfect: if you boot up with only a shell as PID 1 and drop privileges
the code will still not be able to detect the container manager. Not
sure what other option we have, though.
> ---
> src/shared/virt.c | 19 ++++++-------------
> 1 file changed, 6 insertions(+), 13 deletions(-)
>
> diff --git a/src/shared/virt.c b/src/shared/virt.c
> index f9c4e67..298e005 100644
> --- a/src/shared/virt.c
> +++ b/src/shared/virt.c
> @@ -275,18 +275,10 @@ int detect_container(const char **id) {
> goto finish;
> }
>
> - if (getpid() == 1) {
> - /* If we are PID 1 we can just check our own
> - * environment variable */
> -
> - e = getenv("container");
> - if (isempty(e)) {
> - r = 0;
> - goto finish;
> - }
> - } else {
> -
> - /* Otherwise, PID 1 dropped this information into a
> + /* Check our own environment variable */
> + e = getenv("container");
> + if (isempty(e)) {
> + /* PID 1 dropped this information into a
> * file in /run. This is better than accessing
> * /proc/1/environ, since we don't need CAP_SYS_PTRACE
> * for that. */
> @@ -300,7 +292,8 @@ int detect_container(const char **id) {
> return r;
>
> e = m;
> - }
> + } else
> + r = 0;
>
> /* We only recognize a selected few here, since we want to
> * enforce a redacted namespace */
> --
> 1.9.3
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Lennart
--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
